A kill chain consists of seven identifiable steps (as defined by Lockheed Martin) which cyber criminals go through in order to gain access to an organization, typically by compromising a legitimate user. These steps are followed in order to extract useful data from a victim or their organization.
It’s important to understand how the kill chain works because timing is everything — for both the good guys and the bad guys. According to Humphrey Christian, VP of product management at cyber risk management provider Bay Dynamics, the earlier a company can detect the criminal in the chain, the lower the risk of system or data compromise.
The kill chain steps are as follows:
This occurs when criminals study their victims, collecting every piece of information they can use to compromise the person. For example, they may look at the company website to determine who is employed by the organization, then investigate potential victims online to gather information about them. A common tactic would be to analyze employee social media profiles to see what they can find out about the person, who they have been interacting with recently and what kinds of issues have been prominent in their minds. For instance, winning free tickets to a specific concert.
How to defend against reconnaissance
Security through obscurity is a common tactic where attractive targets are cloaked, disguised or otherwise set up to reveal as little desirable information as possible. The same principle applies here to potential victims. Encourage users to make social media accounts private, to vet potential friends/contacts and to eliminate as much public data about themselves as possible to reduce potential attack surfaces. Never put confidential or private information on public company websites.
This takes place when criminals prepare malware for delivery to victims. It can be tailored based on the results of reconnaissance, for instance to lure them into thinking they can win the free concert tickets they want by clicking a link.
How to defend against weaponization
You can’t prevent the bad guys from creating malware, but you can make your users aware that malware can be targeted towards them or their interests, conducting security education to ensure they know how to spot suspicious emails and subscribe to a conservative security mindset.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
This is when criminals deliver the malware to the victim, typically through a phishing email, such as one intended to lure them to clicking a link to win free tickets.
How to defend against delivery
User education must go hand-in-hand with proper security controls. Utilize mail filtering services and vendor controls such as Microsoft Group Policy to disable email hyperlinks to reduce the likelihood of phishing emails ever reaching your users. Set up alerts to notify IT staff of blocked attempts so they can keep track of the frequency of such efforts.
However, therein lies a problem: alert fatigue due to high levels of false positives. Christian recommended tackling these first three steps of a kill chain by using user and entity behavior analytics (UEBA) to detect unusual behavior, cyber risk analytics to link security tools together and connect the dots of an entire attack picture and artificial intelligence (AI), which underlies the analytics components to fill the security analyst gap and determine whether alerts are genuine or false positives, and act accordingly using machine learning capabilities.
This occurs when the victim opens the infected attachment/clicks on the link.
How to defend against exploitation
Anti-malware software which is routinely updated is a key element here as it will block infected attachments. Web proxy filtering is also important as it will block access to malicious websites. Of course, users working on mobile devices with data plans won’t be subject to web proxy filtering, so it’s especially important to warn users not to click on suspicious links from a mobile device outside the company’s network, and to deploy anti-malware solutions to any device used for company business, whether employee or company-owned.
SEE: IT leader’s guide to cyberattack recovery (Tech Pro Research)
This happens when the malware is downloaded onto the victim’s machine.
How to defend against installation
At this stage any security controls have clearly failed to prevent the malware from reaching the device, either because they weren’t updated, they were somehow bypassed or disabled or there aren’t current signatures available to identify a new threat.
Restricting user access privileges can play an important role in stopping the execution of malware. Taking away administrator rights (IT administrators should use non-privileged accounts for daily activities such as accessing email) can ensure that malware will fail to deliver its payload since sufficient rights to do so aren’t present.
6. Command and control
This is when the criminal has control of the victim’s machine and therefore can access the company’s network and moves around the environment looking for the crown jewels.
How to defend against command and control
«Some kill chain activity is extremely difficult for a human to detect and confirm it’s indeed a threat,» said Christian. Monitoring and alerting and employing analytics (such as UEBA) can once again help identify normal vs. abnormal behavior. Tying this in with unified security controls provides a veritable trail to follow which can pinpoint what happened here.
For example, endpoint protection detects John in marketing clicked on a suspicious link. The web proxy detects a malware download on his machine and UEBA detects multiple attempted logins into the engineering SQL server, an activity that’s unusual for him, his peers and overall business unit. Cyber risk analytics brings the events together, adds in context such as the fact that the SQL server is of high value to the company, and AI looks at the body of evidence and determines John must be bumped to investigators as a high priority threat. All of this happens in a matter of minutes before John’s compromised account is able to exfiltrate information.
SEE: Information security policy (Tech Pro Research)
7. Actions on objective
This occurs when the exfiltration stage when the bad actor steals the data, moving it outside the organization.
How to defend against actions on objective
This is the end stage of the game, so the best possible chance of seizing victory from the jaws of defeat is to utilize data loss prevention (DLP) technologies to prevent data from being transmitted out of the organization.
Numerous types of controls can ensure this: configuring email systems and web proxies to prevent confidential data from being sent, blocking access to sites which might facilitate data transfer (such as cloud storage or personal email services) turning off the use of copy/paste over remote desktop connections, and utilizing alerts to inform security staff when the above actions are attempted.
However, even this represents a last-ditch effort since criminals can always utilize screen capture programs to harvest confidential data — or even just photograph what’s on their monitor with a smartphone. Apply the recommendations associated with steps 1-6 so that the situation doesn’t reach this drastic level.